Enterprise Server external security using an LDAP security manager must be configured and enabled for the region.
- In the LDAP repository, in the resource container (default CN=Enterprise Server Resources), create the class container CN=Communications Server, if it does not already exist.
- In the class container CN=Communications Server, create the resource access control objects CN=Enterprise Server Console Log and CN=Communications Server Log, if they do not already exist. Use the LDAP class microfocus-MFDS-Resource, unless a different resource class is specified in your Security Manager configuration (this is rare).
Access to the console and communications logs through the administration web interfaces (or by HTTP requests directly to the
communications server) is now restricted by these objects. The logs cannot be viewed remotely unless Access Control Lists
(ACLs) are set.
Note: When security is enabled for an Enterprise Server log, Enterprise Server uses HTTP Basic Authentication to request a username
and password. To avoid credentials being sent in plaintext over the network, configure SSL for the region's Communications
Servers. The username and password are validated, and then the user's identity is checked against the Access Control List.
- Edit the CN=Enterprise Server Console Log and CN=Communications Server Log objects to specify access to the console and communications logs, respectively. Edit the value of the attribute microfocus-MFDS-Resource-ACE to add one or more Access Control Entries granting access to the log.
- Save your changes to the LDAP data and either restart the region or send it a Security Update notification. Your new settings will take effect.
For example, the access control entry allow:SYSAD:read will allow the SYSAD user to retrieve the log over HTTP and view it in the web administration interfaces.
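The objects described in the steps above, written as an LDIF import. This is an added example, not text from the product documentation: the base DN DC=example,DC=com is a constructed placeholder, and the object class "container" for the class container is an assumption that depends on your directory.

```ldif
# Constructed example. Replace DC=example,DC=com with the DN under which
# your resource container (default CN=Enterprise Server Resources) lives.

# Class container for the log resources. Omit this entry if it already exists.
# ASSUMPTION: "container" is the object class your directory uses for
# class containers; substitute the one used by your existing class containers.
dn: CN=Communications Server,CN=Enterprise Server Resources,DC=example,DC=com
changetype: add
objectClass: container
cn: Communications Server

# Resource access control object for the console log.
# The single ACE grants the SYSAD user read access, as in the page's example.
dn: CN=Enterprise Server Console Log,CN=Communications Server,CN=Enterprise Server Resources,DC=example,DC=com
changetype: add
objectClass: microfocus-MFDS-Resource
cn: Enterprise Server Console Log
microfocus-MFDS-Resource-ACE: allow:SYSAD:read

# Resource access control object for the communications log.
dn: CN=Communications Server Log,CN=Communications Server,CN=Enterprise Server Resources,DC=example,DC=com
changetype: add
objectClass: microfocus-MFDS-Resource
cn: Communications Server Log
microfocus-MFDS-Resource-ACE: allow:SYSAD:read

# If your schema requires further attributes on microfocus-MFDS-Resource
# objects, copy them from an existing resource object in the repository.
# If your Security Manager configuration names a different resource class,
# use that class instead of microfocus-MFDS-Resource.
```

After importing, restart the region or send it a Security Update notification, then confirm that a user without an ACE can no longer view either log remotely.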